Keywords related to security in the package browser

Erich Schubert erich@debian.org
Mon, 28 Apr 2003 18:56:23 +0200


> Hi there Enrico,

Actually you wrote to erich ;) but we're working on that project
together.

> It would be nice if the "Security" packages were fine-grained even further.
> I would recommend dividing security packages further by adding the
> following tags:

IMHO the tags you are suggesting are too fine grained. Often they are
just a combination of two tags, or they differ by a tag.
But a couple of these tags will be added.

> - "Filesystem integrity": test the integrity of the system by storing
> filesystem information (MD5 hashes, file types...); aide, tripwire, samhain
> and integrit fall into this category.

I'm going to add this:
 Tag: security::integrity
 Implies: admin, security
 Description: File integrity verification

Maybe also add the "file" and "utility" tag? After all they are
utilities (not creating new information) and operate on files?

> - "Remote Vulnerability assessment": test (remotely) the system for
> vulnerabilities: nessus, raccess, whisker, nikto, bass, satan..

> - "Local Vulnerability assessment": ditto locally: tiger, sxid

These two seem to differ by the "net" tag.
"sxid" fits into the filesystem integrity section IMHO. I think it
searches for suid files and checks these for integrity.
By the description "tiger" is similar, so they probably should all go
into "security::integrity".

I'm not yet decided, but I think the "remote..." should be tagged
"admin, security, net, net::scanner".

> - "Network scanner": network based security tests (not VA): nmap, xprobe, 
> queso, knocker, strobe, hping2, nbtscan, icmpush, isic, fragrouter...

Whereas these should only be tagged "net, net::scanner" (and "util"...
but the "application" vs. "util" thing is a real mess. We really need
some task force for these.)

Suggestion:
 Tag: net::scanner
 Implies: net
 Description: Network scanners

> - "Source code audit": Audit source code in different programming languages 
> for vulnerabilities: flawfinder, rats, spling

They fit into "devel::testing-qa" IMHO. They can be tagged
"devel::testing-qa, security" so they will form a subgroup "security"
below "testing-qa" and a "software testing and qa" subgroup below "security"

> - "Virtual Private Networks": setup a secure network between two sites: 
> vtun, tunnelv, cipe, vpnd, tinc, secvpn, pptpd, freeswan

IMHO this doesn't belong in the security section, but deserves a tag:
 Tag: net::tunnel
 Implies: net
 Description: Network tunneling

Not all of them are actually "secure". These can be tagged "security" as
well as "net::tunnel".

> - "Antivirus tools": sanitizer, amavis-postfix

Suggestion:
 Tag: security::antivirus
 Implies: admin, security
 Description: Anti Virus Scanner

> - "Password cracking tools": john, crack

undecided on these. cracklib and john are IMHO "authentification"
related, so probably "admin, security, authentification" is enough.

> - "Intrusion detection": snort, tiger, scanlogd, scandetd, portsentry, 
> chkrootkit

Suggestion:
 Tag: security::ids
 Implies: admin, security
 Description: Intrusion Detection Systems

> - "Forensics": tct, fenris

Hmm... hard to say actually. Guess they'll also get a new tag.

> - "System Hardening": develop and maintain a bastion host: bastille, 
> harden-* packages.

harden-* should be tagged "security, special::meta". Don't know about
bastille.

> - "Kernel hardening": Patches that can be introduced in the kernel to 
> improve security:  lcap, kernel-patch-*-lids, kernel-patch-int, 
> kernel-patch-systrace, kernel-patch-*-openwall,  kernel-patch-*-lsm,   
> kernel-patch-*-grsecurity

Use "security, kernel" for these.

> Also, the 'admin' tag and the 'system' tag seem quite redundant to me. It 
> has taken me quite some time to figure out that the security-related 
> packages only came up in the packagebrowser until I filtered first by 
> 'Administration and System Maintainance' and then by 'System software and 
> maintainance' and then by 'Security'.

Yes, they need some work. There needs to be a policy on what they are
actually for. IMHO it's about "system administration" (meaning software)
vs. "user administration" vs. "web administration" (if that goes into
this "admin" section actually, and we don't add a web::webmaster
section for that... ;)
More work for the to-be task force.

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
     Friends call themselves sincere. Enemies are so: hence one        V_/_
       should use their reproach for self-knowledge, as
             a bitter medicine.  --- Arthur Schopenhauer
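The tag entries proposed in this mail each carry an "Implies:" line, so a package tagged "security::integrity" also ends up under "admin" and "security", and the "remote" vs. "local" assessment tools differ only by the implied "net" tag. The following is an added example, not part of the mail or of the debtags tools: it parses the vocabulary stanzas quoted above (constructed here from the mail's own suggestions) and expands a package's tag set through the implications.

```python
"""Added example (not from the mail or from debtags): parse the proposed
tag vocabulary and close a package's tag set under "Implies"."""

# Constructed vocabulary text, copied from the tag entries proposed in the mail.
VOCABULARY_TEXT = """\
Tag: security::integrity
Implies: admin, security
Description: File integrity verification

Tag: net::scanner
Implies: net
Description: Network scanners

Tag: net::tunnel
Implies: net
Description: Network tunneling
"""


def parse_vocabulary(text):
    """Parse blank-line-separated "Key: value" stanzas.

    Returns {tag: {"implies": set_of_tags, "description": str}}.
    Stanzas without a "Tag:" field are skipped.
    """
    vocab = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip().lower()] = value.strip()
        if "tag" not in fields:
            continue
        implies = {t.strip() for t in fields.get("implies", "").split(",") if t.strip()}
        vocab[fields["tag"]] = {"implies": implies,
                                "description": fields.get("description", "")}
    return vocab


def expand_tags(tags, vocab):
    """Return the tag set closed transitively under Implies.

    Tags not in the vocabulary (e.g. "admin") are kept as-is and imply nothing.
    """
    result = set()
    todo = list(tags)
    while todo:
        tag = todo.pop()
        if tag in result:
            continue
        result.add(tag)
        todo.extend(vocab.get(tag, {}).get("implies", ()))
    return result
```

With the vocabulary above, expand_tags({"security::integrity"}, vocab) yields {"security::integrity", "admin", "security"}, and the "remote" assessment tagging "admin, security, net::scanner" picks up "net" automatically.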